https://community.splunk.com/t5/Splunk-Search/Difference-between-lastTime-and-recentTime-in-metadata-output/m-p/62193#M15364 <P>Can someone explain the distinction between the <CODE>lastTime</CODE> and <CODE>recentTime</CODE> fields in the output of the <CODE>| metadata</CODE> command?</P> Fri, 01 Oct 2010 22:00:19 GMT southeringtonp 2010-10-01T22:00:19Z https://community.splunk.com/t5/Splunk-Search/Difference-between-lastTime-and-recentTime-in-metadata-output/m-p/62193#M15364 <P>Can someone explain the distinction between the <CODE>lastTime</CODE> and <CODE>recentTime</CODE> fields in the output of the <CODE>| metadata</CODE> command?</P> Fri, 01 Oct 2010 22:00:19 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-lastTime-and-recentTime-in-metadata-output/m-p/62193#M15364 southeringtonp 2010-10-01T22:00:19Z https://community.splunk.com/t5/Splunk-Search/Difference-between-lastTime-and-recentTime-in-metadata-output/m-p/62194#M15365 <P><CODE>firstTime</CODE> and <CODE>lastTime</CODE> show you the bounds of your timestamps for the entry in question. Think of this like <CODE>| stats min(_time) as firstTime, max(_time) as lastTime</CODE>.</P> <P>The <CODE>recentTime</CODE> is the last timestamp that splunk received for the given entry in question. (This would be something like <CODE>| sort -_indextime | head 1 | rename _time as recentTime</CODE>.)</P> <P>Keep in mind that the <CODE>metadata</CODE> command is really just pulling in saved statistics about your host/source/sourcetype that are stored within an individual index. (You can see them in the <CODE>*.data</CODE> files within the index folder and under individual bucket folders.) Keep in mind that the search examples above are really only meant to give you a comparable idea of what's going on, but they are probably over simplified.</P> <P></P><HR /><P></P> <P>So, unless you have events coming in out of order, then <CODE>lastTime</CODE> and <CODE>recentTime</CODE> will probably contain the same value.</P> Fri, 01 Oct 2010 22:04:40 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-lastTime-and-recentTime-in-metadata-output/m-p/62194#M15365 Lowell 2010-10-01T22:04:40Z https://community.splunk.com/t5/Splunk-Search/Difference-between-lastTime-and-recentTime-in-metadata-output/m-p/62195#M15366 <P>The question has been answered before: <A href="http://answers.splunk.com/questions/5626/what-is-the-difference-between-lasttime-and-recenttime-in-a-metadata-search/5630#5630" rel="nofollow">http://answers.splunk.com/questions/5626/what-is-the-difference-between-lasttime-and-recenttime-in-a-metadata-search/5630#5630</A></P> <P>It seems like recentTime is (possibly extracted) timestamp of the last event that has gotten into the index and lastTime is the latest timestamp found in the index - <CODE>max(_time)</CODE>.</P> <P>So none of the values would represent <CODE>max(_indextime)</CODE> as I understood.</P> Fri, 01 Oct 2010 22:18:04 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-lastTime-and-recentTime-in-metadata-output/m-p/62195#M15366 ziegfried 2010-10-01T22:18:04Z https://community.splunk.com/t5/Splunk-Search/Difference-between-lastTime-and-recentTime-in-metadata-output/m-p/62196#M15367 <P>After looking closer at the values, I think you are correct about the <CODE>max(_indextime)</CODE> thing. I've updated my answer accordingly. Thanks for pointing this out.</P> Sat, 02 Oct 2010 02:43:06 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-lastTime-and-recentTime-in-metadata-output/m-p/62196#M15367 Lowell 2010-10-02T02:43:06Z https://community.splunk.com/t5/Splunk-Search/Difference-between-lastTime-and-recentTime-in-metadata-output/m-p/62197#M15368 <P>Let me know if this is better suited as a separate question:</P> <P>Is it a correct interpretation to say that if using metadata like this:</P> <PRE><CODE>( index=* OR index=_* ) type=hosts </CODE></PRE> <P>then the recentTime is the timestamp for the last event from each of the hosts while the lastTime is the last thing we "heard" from that host's forwarder?</P> <P>Said another way, if a forwarder does not see anything new written to a log file that it monitors, the recentTime will start to get older. If that same forwarder is forwarding it's _internal|_audit data then the lastTime may be more recent due to normal forwarder/indexer communication.</P> <P>Is that correct? I'm asking because I realize this could be an effective way to monitor for forwarders that stopped communicating with indexers.</P> Mon, 28 Sep 2020 15:49:45 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-lastTime-and-recentTime-in-metadata-output/m-p/62197#M15368 sloshburch 2020-09-28T15:49:45Z https://community.splunk.com/t5/Splunk-Search/Difference-between-lastTime-and-recentTime-in-metadata-output/m-p/62198#M15369 <P>A lot of Splunk articles say that <CODE>recentTime</CODE> and <CODE>localTime</CODE> will be the same, but that's not true if your devices don't all store data in UTC time.</P> <P>In our experience, <CODE>recentTime</CODE> is relative to the local time of whoever is conducting the search, while <CODE>lastTime</CODE> is the latest timestamp reported by the device and stored inside an index.</P> <P>If you have devices in different timezones (in other words, you don't use GMT/UTC), you need to be careful about the different commands. Example: If you want an alert on devices that haven't reported to an index in the last 1800 seconds, we use <CODE>recentTime</CODE> so that everything is relative to the local time:<BR /> <CODE>| metadata index=indexname type=hosts | eval age=now()-recentTime | search age&gt;1800</CODE></P> <P>If you use <CODE>lastTime</CODE>, your ages will be all over the place because devices are reporting from different timezones. A negative age means the device is in a timezone ahead of yours, so it thinks the device is in the future.</P> <P>If you want to see for yourself, try <CODE>| metadata index=indexname type=hosts | eval age=now()-recentTime</CODE> and then try <CODE>| metadata index=indexname type=hosts | eval age=now()-lastTime</CODE> and see the difference in ages.</P> <P>Summary<BR /> <CODE>recentTime</CODE>: Timezone of the search head/indexer<BR /> <CODE>lastTime</CODE>: Last timestamp seen in the data (potentially a different timezone)</P> Wed, 09 Sep 2015 14:39:38 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-lastTime-and-recentTime-in-metadata-output/m-p/62198#M15369 ahjmcaleer 2015-09-09T14:39:38Z https://community.splunk.com/t5/Splunk-Search/Difference-between-lastTime-and-recentTime-in-metadata-output/m-p/62199#M15370 <P>Never thought about it that way.</P> <P>The way I've been thinking about it going forward was that one represented the time of the last seen event (_time) while the other was the time the last event was indexed (_indextime). The docs page has since been updated nicely: <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Metadata" target="_blank">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Metadata</A></P> <P>The <STRONG>lastTime</STRONG> field is the <STRONG>timestamp</STRONG> for the last time that the indexer saw an event from this host.<BR /> The <STRONG>recentTime</STRONG> field is the <STRONG>indextime</STRONG> for the most recent time that the index saw an event from this </P> Tue, 29 Sep 2020 07:14:49 GMT https://community.splunk.com/t5/Splunk-Search/Difference-between-lastTime-and-recentTime-in-metadata-output/m-p/62199#M15370 sloshburch 2020-09-29T07:14:49Z